Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 28, 2023, 9:49 a.m.	Feb. 28, 2023, 9:49 a.m.

Size	472.2KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`d890790d347c384831829e9fbf7c37a4`
SHA256	`9a7061a539333e9f833a589197a60258ebb820bba5f1f29d5b31453e8e392d0f`
CRC32	`1BFB4264`
ssdeep	`3072:HLgY43N8IAEl0AdLW07yCw+rv0ZHqHYZJxQr1Ec:74983El0AdLW07yCwyHeJxQv`
Yara	hide_executable_file - Hide executable file anti_vm_detect - Possibly employs anti-virtualization techniques PowerShell_Script_Include_2_Zero - PowerShell Script Include [Zero] PowerShell_Script_MZ_Zero - PowerShell Script MZ [Zero]

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\73cceb_040c8f8f0c5d41c1b97ed24ca31199db.txt.ps1
2552
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"
  2724
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
  2856

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 28, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Feb. 28, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (41 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: Directory: C:\ProgramData console_handle: 0x00000023	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: d---- 2023-02-28 오전 9:49 MEMEMAN console_handle: 0x00000037	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: The term '£££' is not recognized as the name of a cmdlet, function, script file console_handle: 0x00000023	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: At line:5 char:5 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + (£££ <<<< (£££(£££ $AMI))) \| .('{x}{9}'.replace('9','0').replace('x','1')-f' console_handle: 0x00000053	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: Pussy','%%').replace('%%','I').replace('Pussy','EX') console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + CategoryInfo : ObjectNotFound: (£££:String) [], CommandNotFound console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: Exception console_handle: 0x00000077	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: At line:15 char:18 console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + $o = $h.GetMethod <<<< ($k) console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + CategoryInfo : InvalidOperation: (GetMethod:String) [], Runtime console_handle: 0x00000047	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: Exception console_handle: 0x00000053	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000007f	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: At line:22 char:10 console_handle: 0x0000008b	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + $o.Invoke <<<< ($hh, ($V4,$Ripple)) console_handle: 0x00000097	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000a3	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: eption console_handle: 0x000000af	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000bb	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000db	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: At line:23 char:10 console_handle: 0x000000e7	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + $o.Invoke <<<< ($hh, ($V2,$Ripple)) console_handle: 0x000000f3	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000ff	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: eption console_handle: 0x0000010b	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000117	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000137	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: At line:24 char:10 console_handle: 0x00000143	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + $o.Invoke <<<< ($hh, ($V3,$Ripple)) console_handle: 0x0000014f	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x0000015b	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: eption console_handle: 0x00000167	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000173	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MEMEMAN\CypherDeptography.~+~ Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CypherDeptography.~+~". console_handle: 0x0000001b	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MEMEMAN\UpdateEscan.js Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateEscan.js". console_handle: 0x00000027	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MEMEMAN\WindowsDEFENDERUPDATE.js Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDEFENDERUPDATE.js". console_handle: 0x00000033	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: SUCCESS: The scheduled task "EscansUpdate" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 28, 2023, 9:49 a.m.	buffer: SUCCESS: The scheduled task "EscanDissldo" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (11 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 28, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003aaef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 28, 2023, 9:49 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0565a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0565b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0565c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2023, 9:49 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0565d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\MEMEMAN\WindowsDEFENDERUPDATE.js
file	C:\ProgramData\MEMEMAN\UpdateEscan.js

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
ZoneAlarm	HEUR:Trojan.PowerShell.Kryptik.gen
Google	Detected
AhnLab-V3	Trojan/PowerShell.Agent.SC185668
Ikarus	Trojan-Dropper.VBS.Agent

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
parent_process	powershell.exe				martian_process	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\schtasks.exe

73cceb_040c8f8f0c5d41c1b97ed24ca31199db.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All